WebApp Sec mailing list archives

Re: IIS session cookies


From: securityarchitect () hush com
Date: Sat, 7 Dec 2002 18:51:48 -0800


Not knowing much about Windows, ASP or .NET, does IIS allow you to

Set sessionID length ? If so how ?

How does it move users from a non-SSL session to a SSL session (ie does a new value get set) ?

On Fri, 06 Dec 2002 07:18:35 -0800 Kevin Spett <kspett () spidynamics com> wrote:
From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:

"LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit 
session ID
(see later for how session ID is created)
Session ID is created from a random seed number that is generated 
when the
system starts up). The random seed is incremented every time a new 
session
starts. Note that the "munge" doesn't increment in the same way 
that the
Session ID does.
Since the 8 char string after ASPSESSIONID is a "munge" of the process 
ID it
will be (a) the same for all "In-process" applications (b) a different 
value
is shared for all "Medium isolation (pooled)" applications and (c) 
unique
for each Out-of-process application."

From
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/html/
aspwsm.asp:

"The following steps are taken when generating ASP session cookies:
* Session ID values are 32-bit long integers.
* Each time the Web server is restarted, a random Session ID starting 
value
is selected.
* For each ASP session that is created, this Session ID value is
incremented.
* The 32-bit Session ID is mixed with random data and encrypted 
to generate
a 16-character cookie string. Later, when a cookie is received, 
the Session
ID can be restored from the 16-character cookie string (ASPSESSIONID).
* The encryption key used is randomly selected each time the Web 
server is
restarted."

I don't know for sure, but I'm guessing that they're using CryptGenRandom
for the PRNG, which uses mouse & keyboard events timing, system 
clock,
system time, system counter, memory status, free disk clusters, 
etc.  To my
knowledge, it's sufficiently "random" to make them unpredictable 
in
practical terms.

Hope that helps.



Kevin Spett
SPI Labs
http://www.spidynamics.com/


----- Original Message -----
From: "Cade Cairns" <cairnsc () securityfocus com>
To: "Kevin Spett" <kspett () spidynamics com>
Cc: <webappsec () securityfocus com>
Sent: Friday, December 06, 2002 2:48 AM
Subject: Re: IIS session cookies


I'm curious whether the ASPSESSIONID value generated is predictable 
and if
so, to what extent.

Cade Cairns
Symantec Corporation

On Thu, 5 Dec 2002, Kevin Spett wrote:

What do you mean by "IIS session cookies"?  Do you mean the 
ASPSESSIONID
feature? And what do you mean by formed?  Are you talking about 
the PRNG
behind it, or how a developer can use them?


Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Cade Cairns" <cairnsc () securityfocus com>
To: <webappsec () securityfocus com>
Sent: Thursday, December 05, 2002 5:29 PM
Subject: IIS session cookies


Hello webappsec,

I'm looking for information on how IIS session cookies are 
formed
(that
is, what data they consist of or how they are encoded, etc.) 
Is
anyone
aware of any papers or resources on the subject?

Thanks,

Cade Cairns
Symantec Corporation











Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


Current thread: